Posted by Erland Sommarskog on 07/21/05 01:04
Matt (mattmorgan64@msn.com) writes:
> I'm running SQL server 2000, on W2K server. All the latest patches/etc
> for both installed.
>
> I've a need to allow remote access to the DB. I have a strong password
> on the sa account, and have completed the various security checklists
> on the MS website, including running the baseline security program they
> provide.
>
> Due to the nature of the application, windows authentication is not
> possible.
>
> Besides someone trying to hack in via a password guess, are there any
> other things I need to worry about? Again, all the latest patches and
> what not are installed.
I assume with remote access, you mean permit access to it from the
Internet.
First make sure an extra time that @@version reads at least 8.00.818.
But, no, you cannot sleep well at night despite that. With SQL
authentication there is no protection against brute force attacks, so an
intruder can just keep on hammering. You can of course audit failed logins,
but then you would have to go and check that log every day.
Note also that the password is not really encrypted when sent over the
wire. It's more some sort of obfuscation that can be cracked without
too much effort.
I don't really have any suggestions for how to address this, although
it could be possible to build some proxy that has better protection. I
would not be surprised if such third-party tools are available.
One thing to consider is to isolate this machine from the rest of
your network as much as possible, so that if someone sneaks in, he
gets no further.
--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinfo/productdoc/2000/books.asp
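The two checks the reply recommends (confirm @@version reads at least 8.00.818, and actually look at the failed-login audit instead of letting it pile up) can be scripted so the log gets checked every day without a human reading it. The following is an added example, not code from the post or from its author. It assumes the usual "Microsoft SQL Server 2000 - 8.00.818 (Intel X86)" shape of the @@version string, and the error-log lines are constructed samples in the errorlog layout "<date> <time> logon     Login failed for user 'x'."; the trailing "[CLIENT: ip]" tag is an assumption (later SQL Server versions print it, SQL Server 2000 may not, so the parser treats it as optional).

```python
"""Added example: parse @@version for the minimum build, and scan error-log
lines for bursts of failed SQL logins (the brute-force pattern the post warns
has no built-in protection).  Not part of the original post."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Build the post says @@version must read at least: 8.00.818
MIN_BUILD = (8, 0, 818)

_VER_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Assumed errorlog layout; the "[CLIENT: ip]" suffix is optional because
# SQL Server 2000 may not print it.
_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:\s*\[CLIENT: (?P<client>[^\]]+)\])?"
)

# Constructed sample log lines (not a real server's log): six failures for
# 'sa' from one client within 25 seconds, one unrelated failure, one non-logon
# line, and one failure without a CLIENT tag.
SAMPLE_LOG = [
    "2005-07-21 01:04:00.12 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:04:05.30 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:04:10.01 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:04:15.77 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:04:20.42 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:04:25.09 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.5]",
    "2005-07-21 01:10:00.00 logon     Login failed for user 'webapp'. [CLIENT: 192.168.1.2]",
    "2005-07-21 01:10:01.00 spid51    Starting up database 'msdb'.",
    "2005-07-21 02:00:00.00 logon     Login failed for user 'sa'.",
]


def parse_build(version_string):
    """Return (major, minor, build) from a @@version string, or None."""
    m = _VER_RE.search(version_string)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_at_least(version_string, minimum=MIN_BUILD):
    """True if the @@version string reports a build >= minimum (tuple compare)."""
    build = parse_build(version_string)
    return build is not None and build >= minimum


def parse_failed_logins(lines):
    """Return [(timestamp, user, client)] for every failed-login line."""
    events = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client") or "unknown"))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per (user, client): report any source that fails at
    least `threshold` logins inside `window`.  Returns {(user, client): peak}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, client in sorted(events):
        key = (user, client)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


if __name__ == "__main__":
    print("patched:", is_at_least("Microsoft SQL Server  2000 - 8.00.818 (Intel X86)"))
    for (user, client), n in find_bursts(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT: {n} failed logins for '{user}' from {client} within a minute")
```

Run it against a copy of the errorlog (or the output of xp_readerrorlog) from a scheduled job; the threshold and window are the knobs to tune against what the application legitimately produces. Note that the second part only detects hammering after the fact, which is exactly the limitation the reply describes: it does not stop the attempts, so the isolation advice at the end of the post still applies.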